Abstract
We report a novel attack on two CAPTCHAs that have been
widely deployed on the Internet, one being Google's home design
and the other acquired by Google (i.e. reCAPTCHA). With a
minor change, our attack program also works well on the latest
reCAPTCHA version, which uses a new defence mechanism that
was unknown to us when we designed our attack. This suggests
that our attack works at a fundamental level. Our attack appears
to be applicable to a whole family of text CAPTCHAs that build
on top of the popular segmentation-resistant mechanism of
"crowding characters together" for security. Next, we propose a
novel framework that guides the application of our well-tested
security engineering methodology for evaluating CAPTCHA
robustness, and we propose a new general principle for
CAPTCHA design.